June 9, 2014

McAfee And CSIS Study: Cybercrime Costs $445 Billion Each Year

Anyone who has been a victim of cybercrime knows that it can be costly in both time and money. A new study published on Monday found that the annual cost to the global economy was about $445 billion each year, with the damage to businesses and corporations exceeding the $160 billion lost to individuals from hacking.

The study, which was conducted by the Center for Strategic and International Studies (CSIS) and sponsored by McAfee, found that the conservative estimate would be $375 billion a year in losses while the maximum could be as high as $575 billion.

The world's largest economies bore the brunt of the losses with the toll on the United States, China, Japan and Germany exceeding $200 billion a year. Losses connected to personal information including stolen credit card information were reportedly around $150 billion.

The study, which is the first effort to analyze the costs of cybercrime, found that about 40 million people in the United States, which is roughly 15 percent of the total population, had some form of personal information stolen by hackers. High profile security breaches also affected about 20 million people in China, 16 million in Germany and an astonishing 54 million people in Turkey.

Cybercrime has a heavy cost on a company's performance and by effect to national economies. The CSIS noted that it can damage trade, competitiveness, innovation and global economic growth.

"Cybercrime is a tax on innovation and slows the pace of global innovation by reducing the rate of return to innovators and investors," said Jim Lewis of CSIS in a statement. "For developed countries, cybercrime has serious implications for employment. The effect of cybercrime is to shift employment away from jobs that create the most value. Even small changes in GDP can affect employment."

The study estimated that the Internet economy has annually generated between $2 trillion and $3 trillion, and this share of the global economy is expected to grow rapidly – however, cybercrime could extract between 15 percent and 20 percent of the value created by the Internet. Cybercrime's effect on intellectual property (IP) was noted for being particularly damaging – especially where IP creation and IP-intensive industries are important for wealth creation.

"It's clear that there’s a real tangible economic impact associated with stopping cybercrime," said Scott Montgomery, chief technology officer, public sector at McAfee. "Over the years, cybercrime has become a growth industry, but that can be changed, with greater collaboration between nations, and improved public private partnerships. The technology exists to keep financial information and intellectual property safe, and when we do so, we create opportunities for positive economic growth and job creation worldwide."

While McAfee has called for greater efforts to stop cybercrime following the report, the numbers themselves are not surprising to most security professionals. Part of the reason for the rise of cybercrime has been that it is low risk compared to other forms of criminal enterprise.

"The volumes of attacks are increasing because it is a profitable business model for organized crime," Mark Sparshott, EMEA director of security firm Proofpoint, told The Telegraph on Monday. "With cybercrime there is no risky getaway because the attack is routed through hundreds or thousands of PCs in dozens of countries, making it almost impossible to trace. The internet makes most attacks anonymous and untraceable and that is really attractive to cybercriminals."

For this reason cybercrime could likely increase.

"Cybercrime costs are big, and they're growing," Stewart A. Baker, a former Department of Homeland Security policy official and a co-author of the report, told the Washington Post. "The more that governments understand what those costs are, the more likely they are to bring their laws and policies into line with preventing those sorts of losses."

This report utilized several methods to arrive at the range of estimates for the losses from cybercrime. This included interviews with officials in 17 major countries as well as published data from governments around the world. The figures included the cost of recovery following a cyber attack.

The $445 billion figure is also notable in that it is lower than the 2009 report released by McAfee that had pegged the annual losses from cybercrime as closer to $1 trillion. That number, the Washington Post reported, had been cited by the White House.

While the report did not single out any nation for supporting cybercrime, the United States has publicly accused the Chinese of being responsible. Last month the United States Department of Justice (DOJ) charged five Chinese officials with cyberspying.